TrendMicro NewsLetter: WORM_MIMAIL.H in Security

TrendMicro NewsLetter: WORM_MIMAIL.H in Security http://www.dslreports.com/forum/r8447697 en Thu, 10 Dec 2009 15:57:27 EDT Thu, 10 Dec 2009 15:57:27 EDT TrendMicro NewsLetter: WORM_MIMAIL.H http://www.dslreports.com/forum/remark,8447697 Randy Bell : WORM_MIMAIL.H is a destructive, memory-resident worm that propagates via its own Simple Mail Transfer Protocol (SMTP) engine. It sends email with the following details, and spoofs the sender email address:

From: john@
Subject: don't be late wgfaxaam
Message Body: Will meet tonight as we agreed, because on Wednesday I don’t think I’ll make it,

so don’t be late. And yes, by the way here is the file you asked for. It’s all written there. See you.

wgfwxaax

Attachment: readnow.zip

This worm randomly performs a Denial of Service (DoS) attack against the following Web sites:

www.spamhaus.org
www.spews.org

WORM_MIMAIL.H runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this memory-resident worm drops a copy of itself as CNFRM33.EXE in the Windows folder. It then creates a registry entry so that its dropped copy executes at every Windows startup.

This worm deletes the following files if they exist:

•ZIP.TMP
•EXE.TMP
•EML.TMP

It then creates a copy of itself in the Windows folder using the file name EXE.TMP. It uses this file to create another .ZIP file named ZIP.TMP, which contains a copy of this worm with the file name READNOW.DOC.SCR. This worm creates ZIP.TMP using a hard-coded ZIP header and by appending data (which is a copy of itself) to the file. The resulting .ZIP archive file contains the worm in an uncompressed format. It registers itself as a service process and is not visible in the task list of Windows 95, 98, and ME.

This worm arrives as an email attachment that is a .ZIP file containing a UPX-compressed Win32 .EXE file. It must be manually extracted and executed by the recipient in order to propagate.

It only obtains addresses from files that do not have the following extensions:

•COM
•WAV
•CAB
•PDF
•RAR
•ZIP
•TIF
•PSD
•OCX
•VXD
•MP3
•MPG
•AVI
•DLL
•EXE
•GIF
•JPG
•BMP

It tries to resolve "www.google.com" host name to check if an Internet connection is present. If it is successful, it executes its payload and propagation routines.

If you would like to scan your computer for WORM_MIMAIL.H or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: »housecall.trendmicro.com

WORM_MIMAIL.H is detected and cleaned by Trend Micro pattern file #674 and above.
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)]]> http://www.dslreports.com/forum/remark,8447697 Sat, 08 Nov 2003 00:15:22 EDT